Bug #21787
Status: Closed
`IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access
Description
From: https://hackerone.com/reports/3437743
The IO::Buffer implementation in Ruby contains a critical integer overflow vulnerability in its range validation logic. The io_buffer_validate_range function assumes that offset+length never wraps around, allowing an attacker to bypass bounds checking with a carefully chosen large offset value. When the sum overflows, it appears to be within bounds while the actual destination pointer underflows.
Subsequent operations (write/read copies) use this wrapped offset without further validation, enabling out-of-bounds memory access directly from Ruby code.
https://hackerone.com/reports/3437743#activity-38521790
We decided to fix this as a regular bug since `IO::Buffer` is experimental.
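The following is an added illustration, not code from Ruby's `io_buffer.c` or from the fix commit: it contrasts the flawed range check described above (summing `offset + length` before comparing) with two hardened forms that reject the request before the addition can wrap. The `demo_buffer` struct and all function names are hypothetical; the sizes and offsets in `main` are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer descriptor, not Ruby's rb_io_buffer. */
struct demo_buffer {
    unsigned char *base;
    size_t size;
};

/* The flawed pattern: offset + length is computed in size_t and can wrap
 * around to a small value, so the comparison passes even though offset
 * alone is already far beyond the buffer. */
bool range_check_naive(size_t size, size_t offset, size_t length)
{
    return offset + length <= size;
}

/* Hardened form 1: bound offset first, then compare length against the
 * remaining space. No addition is performed, so nothing can wrap. */
bool range_check_safe(size_t size, size_t offset, size_t length)
{
    if (offset > size)
        return false;
    return length <= size - offset;
}

/* Hardened form 2: let the compiler detect the wrap explicitly
 * (GCC/Clang builtin). */
bool range_check_builtin(size_t size, size_t offset, size_t length)
{
    size_t end;
    if (__builtin_add_overflow(offset, length, &end))
        return false;
    return end <= size;
}

/* Copy `length` bytes from `src` into the buffer at `offset`, refusing
 * any request that the hardened check rejects. Returns 0 on success,
 * -1 when the range is invalid. */
int buffer_write_checked(struct demo_buffer *buf, size_t offset,
                         const void *src, size_t length)
{
    if (!range_check_safe(buf->size, offset, length))
        return -1;
    memcpy(buf->base + offset, src, length);
    return 0;
}

int main(void)
{
    unsigned char storage[16] = {0};
    struct demo_buffer buf = { storage, sizeof storage };

    /* Constructed attacker-style input: offset so large that
     * offset + 16 wraps to 8, which is "within" a 16-byte buffer. */
    size_t wrap_offset = SIZE_MAX - 7;

    printf("naive   : %s\n", range_check_naive(buf.size, wrap_offset, 16) ? "accepted (BUG)" : "rejected");
    printf("safe    : %s\n", range_check_safe(buf.size, wrap_offset, 16) ? "accepted" : "rejected");
    printf("builtin : %s\n", range_check_builtin(buf.size, wrap_offset, 16) ? "accepted" : "rejected");

    const char payload[4] = "abcd";
    printf("write at 12, len 4 : %d\n", buffer_write_checked(&buf, 12, payload, 4)); /* fits exactly */
    printf("write at 13, len 4 : %d\n", buffer_write_checked(&buf, 13, payload, 4)); /* one byte past end */
    printf("write at wrap      : %d\n", buffer_write_checked(&buf, wrap_offset, payload, 4));
    return 0;
}
```

The key design point is that a bounds check must never compute a value that can itself overflow; comparing `length` against `size - offset` after confirming `offset <= size` is the usual idiom, and `__builtin_add_overflow` gives the same guarantee where a computed end pointer is genuinely needed.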
Updated by nobu (Nobuyoshi Nakada) about 8 hours ago
· Edited
- Subject changed from `IO::Buffer` buffer overf to `IO::Buffer` Integer Overflow in Range Validation Leads to Out-of-Bounds Memory Access
- Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED
Updated by nobu (Nobuyoshi Nakada) about 8 hours ago
- Description updated (diff)
Updated by nobu (Nobuyoshi Nakada) about 8 hours ago
- Description updated (diff)
Updated by nobu (Nobuyoshi Nakada) about 7 hours ago
- Status changed from Open to Closed
Applied in changeset git|c353b625297162024b5a80480664e599dd49a294.
[Bug #21787] IO::Buffer: Check addition overflows